Thursday, December 29, 2011

2011 Redux

I started this blog just a few months ago and it's been something of a learning experience. Someday maybe I'll talk about that, but not in this post. What I'm here to talk about is regret -- regret that there are so many things I missed the opportunity to blog about in 2011.

Since I'm finally done traveling and the alternative is to actually be productive, I thought this might be a good opportunity to make up for some of that lost blogging ground. Hence this post: my attempt to sum up what's happened in practical cryptography in 2011.

Before anyone objects, I'm going to clarify the ground rules. This list is naturally incomplete, and moreover, I'm going to take 'practical' seriously. That rules out reduced-round attacks (on anything); improvements in Fully-Homomorphic Encryption (getting faster!); and any paper with 'composable' in the title. I will cover implementation and usability issues. But I don't really plan to take any of my own rules that seriously. If you think I missed something important, please feel free to follow up in comments.

Phishers don't mess with the
imaginary SecurID key storage facility.

SecurID not so secure after all. RSA's SecurID has become practically synonymous with two-factor authentication. And it's not a bad system. Back in 2010 if you'd asked me about the most likely avenue for a compromise, I would have guessed (a) theft of secrets from a local SecurID server, or (b) some kind of bug in the authentication software.

In retrospect this seems a bit naive, but really: SecurID was everywhere. Even military contractors used it. If local banks had learned to store their secrets in hardware security modules, then certainly RSA would take modest precautions with something as important as their master seed database.

What 2011 taught us is that just because you think something will be done a certain way, it won't necessarily be so. Perhaps 2012 will be different.

Still more attacks on AES. I promised to keep this to the practical, and the latest attacks against AES certainly aren't. The best of them still only shave a couple of bits off of the security of an AES key (although the new attacks don't depend on related keys).

Still, AES is such an important cipher that any reduction in its security margin is going to have some kind of practical impact. The question now is what lies down the road: (a) an improved AES beefed up with additional rounds, (b) a new standards competition, (c) apathy, or (d) something even weirder. Maybe 2012 will put us on a path to finding that answer.

D-Wave actually builds a quantum computer. With two caveats: it's not really a computer, and it may or may not be quantum.

In case you've never heard of D-Wave, they're a private company that purports to sell the first working adiabatic quantum computer, complete with "128 pair-wise coupled superconducting flux qubits". If you're not sure what to make of this, you're not the only one. Thanks to D-Wave's NDA-heavy business model, there's been some doubt in learned quarters as to whether the D-Wave device actually performs useful quantum computation at all.

But D-Wave has an active and respectable research department. Just this past May they published an article in Nature demonstrating apparent quantum tunneling amongst eight qubits. This is a far cry from the 128 qubits claimed in their commercial products, it doesn't demonstrate entanglement, and of course, it doesn't result in computation. Still it's not nothing. So does this mean practical implementations of Shor's algorithm are just around corner? Probably not.

TLS falls to the BEAST. This fall Thai Duong and Juliano Rizzo raised the pulse of the security industry by demonstrating the most exciting practical attack against SSL/TLS in years. This attack is dear to my heart because it's one of the first attacks I wrote about on this blog.

BEAST is based on a five year-old academic attack on a twelve year oldstandard. Now there's a bit more to the attack that Rizzo/Duong implemented, but still --- how in the world does such a thing stay in the wild so long? A colleague describes Rizzo/Duong's research strategy as 'working their way through the Eurocrypt archives, actually exploiting the theoretical vulnerabilities that academics couldn't be bothered to follow through on'. If this sounds dismissive, it wasn't -- he only wished that he'd done it first.

Lesson: there's a hell of a gap between academic crypto and 'the real world'. We're only safe as long as you believe in attackers who are sophisticated enough to spear-phish SecurID, but not bright enough to read a crypto paper. Time will tell if that belief is a good one.

Nothing much happens with hash functions. Well, that's a bit unfair. Things did happen, and there are some papers to show for it. The SHA3 finalists, announced late last year, continued to percolate through the system. (Go BLAKE!) Still, 2011 was a huge disappointment for those of us you who thought that it would be the year of SHA1 collisions. I guess there's always 2012.

Unsigned code running on iOS. Many cryptographers would exclude this from a list of 'crypto' happenings. Still, a theme of this blog is that your crypto doesn't matter if your implementation undermines it.

This is exactly what Charlie Miller demonstrated when he showed how to execute malicious application code on an iPhone. Even though iOS devices are only supposed to run signed code, it turns out that a few bad checks created a tiny section of memory in which these requirements were irrelevant. To thank him, Apple created a tiny section of their developer program in which Charlie Miller is irrelevant.

Certificate Authorities still a giant mess. Some will say I'm exaggerating -- there were only a few major hacks this year, notably Dutch CA DigiNotar, and a smaller CA called Gemnet. But don't forget, Microsoft also revoked Digicert Malaysia -- not because they were hacked, but for using 512-bit RSA keys to sign certificates (!!) And this is only a partial list of the problems we know about. All in all, it was not a good year to be a CA.

Secure police radios not all that secure.APCO Project 25 is a digital radio standard used by law enforcement. Naturally it supports encryption -- a valuable tool when you're discussing a confidential source or razzing those Occupy protestors. And the P25 encryption itself isn't half bad (it's unauthenticated AES). Rather, the problem with P25 is that simply getting encryption turned onis a daunting prospect -- to the point where it often doesn't happen.To illustrate the problem, a team from UPenn spent two years snarfing up confidential traffic. The agents generating most of this traffic either thought it was encrypted, or would have encrypted it if only they could've figured out how to set the keys. Still more evidence that usability is every bit as important as crypto, implementation, or any other issue that we come across in our field.

XML Encryption nearly as awful as XML itself. This fall brought news of a clever attack on the unauthenticated W3C XML Encryption standard. The attack, by researchers Tibor Jager and Juraj Somorovsky, used various features of XML encoding to implement what I would call a 'padding oracle attack-plus-plus' -- which completely decrypts protected XML on Axis2 and JBoss systems.

The W3C response: "We are so sorry for promulgating this terrible standard and recommend that you never, ever listen to anything we say regarding security every again." No, of course I'm just kidding. Actually, they're adding AES-GCM as an option. Should take care of everything.

Quantum key distribution still a work in progress. Quantum Key Distribution (QKD), sometimes known as 'quantum crypto' is a promising technique for distributing keys over geographic distances without the need to rely on complicated stuff like hard mathematical problems. Instead, you just need to run direct fiber-optic cables to the person you want to communicate with (much easier). On the bright side, the security of QKD is supposedly based on fundamental quantum-physical properties.

In general, the caveat in any QKD design is that security only holds if the physical device works as expected. This year researchers from Singapore and Norway showed that this is a big assumption: by exploiting certain limitations of existing detector equipment, they were able to extract an entire secret key without anyone being the wiser. None of these attacks are fundamental 'breaks' of QKD, and indeed they've already been mitigated. But it goes to show how you should never trust a system just because someone tells you it's 'theoretically unbreakable'.

And that's 2011. I'm sure I'm missing tons of important stuff -- and that's what comments are for. Please enjoy the rest of your holidays and be safe in the new year.

2 comments:

That I think covers everything granted even I had not heard about D-Wave Quantum Computer:P But shouldnt you include the The Baseband Apocalypse presentation that demonstrated the exploitations of memory corruption in GSM stacks that result in malicious code being executed on the baseband processors.

Good stuff. So do you know anything about physical home security systems? There are a lot of wireless video/DVR options out there now. I understand a fair amount about digital security but not nearly as much about physical security...

About Me

I'm a cryptographer and research professor at Johns Hopkins University. I've designed and analyzed cryptographic systems used in wireless networks, payment systems and digital content protection platforms. In my research I look at the various ways cryptography can be used to promote user privacy.